• simplification ahead

    Congress Gets Detailed Cybersecurity Advice From AAFP

    Interoperability, Administrative Simplification Are Key Concerns

    Jan. 11, 2023, 6:17 p.m. News Staff — The AAFP is reminding legislators about family physicians’ cybersecurity concerns while outlining policy goals related to health data and interoperability. 

    Padlock on a keyboard next to a stethoscope

    “Congress must take action to protect personal and health data outside of HIPAA and ensure cybersecurity and privacy rules extend beyond the HIPAA regulatory framework,” the AAFP wrote to Sen. Mark Warner, in response to a “policy options document” from his office titled “Cybersecurity Is Patient Safety: Policy Options in the Health Care Sector.” The document asked for feedback from health care stakeholders.

    With these same goals in mind, the Academy later wrote to House and Senate sponsors of the Healthcare Cybersecurity Act of 2022 (S. 3904 / H.R. 8806), expressing support for that legislation.

    “Information sharing between HHS, other federal partners and health care organizations is critical to encouraging uptake of cybersecurity best practices across the health care industry,” said that letter. “This legislation is a great first step to accomplish this, and the AAFP urges Congress to consider ways to make information readily available to physician practices of all types, settings and sizes, particularly small and independent physician practices who may be under resourced.”


    The digitization of health data has eased patients’ access to their own health information but also elevated the risk of cyberattack against all health care organizations. Health data are attractive to cyber criminals because they often contain personal and financial information and are often widespread across a patient’s care network. That vulnerability has been expensive: The health care industry has reported the highest average cost of a breach for 12 consecutive years, with the average toll for such an event $10.1 million. Hacking also disrupts workflow and interrupts patient care, including the delay of tests and procedures, which can lead to negative health consequences for patients.

    Story Highlights

    “The AAFP has long supported policies that guarantee the appropriate security of protected health information while working to improve patients’ access to their data, as well as the ability to share patients’ health information across the care team,” the earlier letter said. “We are strongly supportive of making data reliably interoperable while maintaining patient confidentiality and the fundamental right to privacy.”

    “The rapid move to this electronic era of health care has unavoidably introduced the risk of cyberattacks for all health care organizations,” the Academy wrote. Noting that more than 45 million people “were affected by cybersecurity attacks on health care professionals in 2021,” the letter added that, while patient health data privacy and security are a high priority for physician practices, “not all of them have the resources, financial capacity or technical knowledge needed to properly establish and implement best practices in cybersecurity.”

    AAFP Policy Guidance

    “Congress should encourage the Office of the National Coordinator for Health IT to consider including cybersecurity framework best practices in health IT certification as one strategy to arrive at industry-wide adoption of standard best practices,” the Academy told Warner’s office. “If all EHR vendors are required to incorporate these practices into their technology, this would enable smaller physician practices who purchase and utilize their software and systems but lack their own IT resources to benefit from basic cybersecurity protections.

    “In the meantime, the AAFP recommends Congress consider ways to encourage all health entities to adopt voluntary guidance from the National Institute of Standards and Technology, with technical assistance and support for effective implementation in real-world settings.”

    Other recommendations the Academy made included

    • a workforce development program to address significant health care cybersecurity staffing shortages by introducing incentives for such professionals to work in rural, independent and small practices, those in underserved communities, and communities with health professional shortages, modeled on the ONC’s Regional Extension Center program;
    • student loan forgiveness or repayment programs that would allow cybersecurity professionals to spend several years serving health care organizations in rural or underserved communities and smaller health care organizations, especially safety-net facilities;
    • leadership from Congress and HHS toward building a robust set of best practices and implementation guides with specific real-world guidance to improve cybersecurity practices in all health care settings, available to physician practices of all types, settings and sizes;
    • incentives for compliance with minimum cybersecurity practices rather than penalties for noncompliance, within a policymaking stance focused on quality improvement and assurance rather than blame and penalties;
    • high cybersecurity standards and compliance with industry best practices mandated for certified EHR and medical device vendors;
    • express accounting for cybersecurity expenses reflected in Medicare payment (incorporated into practice expense and other formulae, as are other basic expenses) are; and
    • congressional support for, and regulation of, cyber insurance to allow smaller health care organizations to afford coverage (including, for example, minimum coverage provisions as guardrails against junk plans).

    Because the HIPAA privacy rule protects only health care data maintained by a covered entity or its business associates, the letter also called on Congress to “take action to protect personal and health data outside of HIPAA and ensure cybersecurity and privacy rules extend beyond the HIPAA regulatory framework.” The Academy urged this and related protections in a Sept. 15, 2022, letter to the U.S. House Energy and Commerce Committee.

    Administrative Simplification

    The document from Warner’s office asked how Congress should work with HHS to improve cybersecurity resources and capabilities and whether the Health Information Sharing and Analysis Center is “the best entity for information sharing among health care organizations.” Answering that question and its follow-up — “Would an incentive for smaller health-sector entities be beneficial to the nation’s health care system?” — the Academy pushed for solutions that would not add administrative complexity to family medicine practices.

    “Given that access to resources through H-ISAC requires a paid membership, cost is likely to be a barrier for smaller organizations benefiting,” the AAFP said. “We encourage Congress to evaluate the effectiveness of H-ISAC and, if it is determined to be the best entity for information sharing across health care organizations, consider federal funding and a government-private sector partnership to significantly expand access to its resources for smaller and under-resourced physician practices.

    “Congress must consider ways that small and independent physician practices can benefit from and realistically implement practices included in the offered resources without being required to be a member of H-ISAC.”

    Both letters advocated for other cost-limiting, policy streamlining and workforce development programs that would strengthen health data security without adding administrative burden to physicians.

    In supporting the Healthcare Cybersecurity Act, the Academy noted that the bill would provide for greater coordination and information sharing among the Cybersecurity and Infrastructure Security Agency, HHS and health care entities, a move toward administrative simplification. It also would set in motion a number of the priorities outlined in the Academy’s letter to Sen. Warner, including training for health care entities on cybersecurity risks and mitigation strategies and initiatives to address cybersecurity workforce shortages for health care organizations, particularly rural and small and medium-sized organizations.

    The Academy is also tracking the Health Care Providers Safety Act (H.R. 7814 / S. 4268), which would establish a grant program for health care organizations to enhance the physical and cyber security of their facilities, personnel and patients, in line with the AAFP’s policy recommendations.